[pull] main from containerd:main

.github/workflows/api-release.yml

@@ -65,11 +65,11 @@ jobs:
     needs: [check]
     steps:
       - name: Download release notes
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: builds
       - name: Create Release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           fail_on_unmatched_files: true

.github/workflows/codeql.yml

@@ -36,7 +36,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         # Override language selection by uncommenting this and choosing your languages
         # with:
         #   languages: go, javascript, csharp, python, cpp, java
@@ -46,4 +46,4 @@ jobs:
           make
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0

.github/workflows/release.yml

@@ -141,7 +141,7 @@ jobs:
     needs: [build, check]
     steps:
       - name: Download builds and release notes
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: builds
       - name: Attest Artifacts
@@ -152,7 +152,7 @@ jobs:
       - name: Rename attestation artifact
         run: mv ${{ steps.attest.outputs.bundle-path }} containerd-${{ needs.check.outputs.stringver }}-attestation.intoto.jsonl
       - name: Create Release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           fail_on_unmatched_files: true

.github/workflows/scorecards.yml

@@ -49,6 +49,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # tag=v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # tag=v4.33.0
         with:
           sarif_file: results.sarif

.golangci.yml

@@ -1,11 +1,12 @@
 version: "2"
 linters:
   enable:
-    - copyloopvar # Checks for loop variable copies in Go 1.22+
-    - depguard # Checks for dependencies that should not be (re)introduced. See "settings" for further details.
-    - dupword # Checks for duplicate words in the source code
+    - copyloopvar  # Checks for loop variable copies in Go 1.22+
+    - depguard     # Checks for dependencies that should not be (re)introduced. See "settings" for further details.
+    - dupword      # Checks for duplicate words in the source code
     - gosec
     - misspell
+    - modernize    # Suggests modernizations to Go code; see https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/modernize
     - nolintlint
     - revive
     - unconvert
@@ -40,6 +41,11 @@ linters:
         - G301
         - G302
         - G304
+    modernize:
+      disable:
+        # TODO(thaJeztah): enable testingcontext once github.com/AdamKorcz/go-118-fuzz-build is updated.
+        # see https://github.com/containerd/containerd/pull/13022#discussion_r2937038804
+        - testingcontext
     staticcheck:
       checks:
         - all

api/releases/v1.11.0-beta.toml

@@ -0,0 +1,16 @@
+# commit to be tagged for new release
+commit = "HEAD"
+
+project_name = "containerd"
+github_repo = "containerd/containerd"
+sub_path = "api"
+ignore_deps = [ "github.com/containerd/containerd" ]
+
+# previous release
+previous = "api/v1.10.0"
+
+pre_release = true
+
+preface = """\
+The 12th release for the containerd 1.x API aligns with the containerd 2.3 release.
+"""

cmd/containerd-shim-runc-v2/runc/container.go

@@ -235,7 +235,7 @@ type Container struct {
 	Bundle string
 
 	// cgroup is either cgroups.Cgroup or *cgroupsv2.Manager
-	cgroup          interface{}
+	cgroup          any
 	process         process.Process
 	processes       map[string]process.Process
 	reservedProcess map[string]struct{}
@@ -273,14 +273,14 @@ func (c *Container) Pid() int {
 }
 
 // Cgroup of the container
-func (c *Container) Cgroup() interface{} {
+func (c *Container) Cgroup() any {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	return c.cgroup
 }
 
 // CgroupSet sets the cgroup to the container
-func (c *Container) CgroupSet(cg interface{}) {
+func (c *Container) CgroupSet(cg any) {
 	c.mu.Lock()
 	c.cgroup = cg
 	c.mu.Unlock()
@@ -479,7 +479,7 @@ func (c *Container) HasPid(pid int) bool {
 	return false
 }
 
-func loadProcessCgroup(ctx context.Context, pid int) (cg interface{}, err error) {
+func loadProcessCgroup(ctx context.Context, pid int) (cg any, err error) {
 	if cgroups.Mode() == cgroups.Unified {
 		g, err := cgroupsv2.PidGroupPath(pid)
 		if err != nil {

cmd/containerd-shim-runc-v2/runc/platform.go

@@ -36,7 +36,7 @@ import (
 )
 
 var bufPool = sync.Pool{
-	New: func() interface{} {
+	New: func() any {
 		// setting to 4096 to align with PIPE_BUF
 		// http://man7.org/linux/man-pages/man7/pipe.7.html
 		buffer := make([]byte, 4096)

cmd/containerd-shim-runc-v2/task/plugin/plugin_linux.go

@@ -33,7 +33,7 @@ func init() {
 			plugins.EventPlugin,
 			plugins.InternalPlugin,
 		},
-		InitFn: func(ic *plugin.InitContext) (interface{}, error) {
+		InitFn: func(ic *plugin.InitContext) (any, error) {
 			pp, err := ic.GetByID(plugins.EventPlugin, "publisher")
 			if err != nil {
 				return nil, err

cmd/containerd-shim-runc-v2/task/service.go

@@ -75,7 +75,7 @@ func NewTaskService(ctx context.Context, publisher shim.Publisher, sd shutdown.S
 	}
 	s := &service{
 		context:              ctx,
-		events:               make(chan interface{}, 128),
+		events:               make(chan any, 128),
 		ec:                   reaper.Default.Subscribe(),
 		cg1oom:               ep,
 		cg2oom:               oomv2.New(),
@@ -112,7 +112,7 @@ type service struct {
 	mu sync.Mutex
 
 	context  context.Context
-	events   chan interface{}
+	events   chan any
 	platform stdio.Platform
 	ec       chan runcC.Exit
 	cg1oom   oom.Watcher
@@ -635,7 +635,7 @@ func (s *service) Stats(ctx context.Context, r *taskAPI.StatsRequest) (*taskAPI.
 	if cgx == nil {
 		return nil, errgrpc.ToGRPCf(errdefs.ErrNotFound, "cgroup does not exist")
 	}
-	var statsx interface{}
+	var statsx any
 	switch cg := cgx.(type) {
 	case cgroup1.Cgroup:
 		stats, err := cg.Stat(cgroup1.IgnoreNotExist)
@@ -709,7 +709,7 @@ func (s *service) oomEvent(id string) {
 	}
 }
 
-func (s *service) send(evt interface{}) {
+func (s *service) send(evt any) {
 	s.events <- evt
 }
 

cmd/containerd/server/server.go

@@ -83,10 +83,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
 		return err
 	}
 	// chmod is needed for upgrading from an older release that created the dir with 0o711
-	if err := os.Chmod(config.Root, 0o700); err != nil {
+	// We ignore file permission issues due to non-standard rootless deployments that do not put the daemon in UserNS: https://github.com/containerd/containerd/issues/12520
+	// These deployments fundamentally cannot perform this migration without sudo intervention.
+	if err := os.Chmod(config.Root, 0o700); err != nil && !errors.Is(err, os.ErrPermission) {
 		return err
 	}
-
 	// For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
 	// Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
 	if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil {
@@ -107,7 +108,9 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
 			return err
 		}
 		// chmod is needed for upgrading from an older release that created the dir with 0o711
-		if err := os.Chmod(config.Root, 0o700); err != nil {
+		// We ignore file permission issues due to non-standard rootless deployments that do not put the daemon in UserNS: https://github.com/containerd/containerd/issues/12520
+		// These deployments fundamentally cannot perform this migration without sudo intervention.
+		if err := os.Chmod(config.TempDir, 0o700); err != nil && !errors.Is(err, os.ErrPermission) {
 			return err
 		}
 		if runtime.GOOS == "windows" {

cmd/ctr/commands/commands_windows.go

@@ -37,6 +37,6 @@ func init() {
 		})
 }
 
-func RuntimeOptions(cliContext *cli.Context) (interface{}, error) {
+func RuntimeOptions(cliContext *cli.Context) (any, error) {
 	return nil, nil
 }

cmd/ctr/commands/run/run_windows.go

@@ -174,7 +174,7 @@ func NewContainer(ctx context.Context, client *containerd.Client, cliContext *cl
 	}
 
 	runtime := cliContext.String("runtime")
-	var runtimeOpts interface{}
+	var runtimeOpts any
 	if runtime == "io.containerd.runhcs.v1" {
 		runtimeOpts = &options.Options{
 			Debug: cliContext.Bool("debug"),

core/diff/apply/apply_linux.go

@@ -77,10 +77,10 @@ func getOverlayPath(options []string) (upper string, lower []string, err error)
 	const lowerdirPrefix = "lowerdir="
 
 	for _, o := range options {
-		if strings.HasPrefix(o, upperdirPrefix) {
-			upper = strings.TrimPrefix(o, upperdirPrefix)
-		} else if strings.HasPrefix(o, lowerdirPrefix) {
-			lower = strings.Split(strings.TrimPrefix(o, lowerdirPrefix), ":")
+		if after, ok := strings.CutPrefix(o, upperdirPrefix); ok {
+			upper = after
+		} else if after, ok := strings.CutPrefix(o, lowerdirPrefix); ok {
+			lower = strings.Split(after, ":")
 		}
 	}
 	if upper == "" {

core/metrics/cgroups/cgroups.go

@@ -48,7 +48,7 @@ func init() {
 			plugins.EventPlugin,
 		},
 		Config: &Config{},
-		ConfigMigration: func(ctx context.Context, configVersion int, pluginConfigs map[string]interface{}) error {
+		ConfigMigration: func(ctx context.Context, configVersion int, pluginConfigs map[string]any) error {
 			if configVersion >= version.ConfigVersion {
 				return nil
 			}
@@ -66,7 +66,7 @@ func init() {
 }
 
 // New returns a new cgroups monitor
-func New(ic *plugin.InitContext) (interface{}, error) {
+func New(ic *plugin.InitContext) (any, error) {
 	var ns *metrics.Namespace
 	config := ic.Config.(*Config)
 	if !config.NoPrometheus {

core/metrics/cgroups/metrics_test.go

@@ -92,12 +92,10 @@ func TestRegressionIssue6772(t *testing.T) {
 	errCh := make(chan error, 1)
 
 	var wg sync.WaitGroup
-	for i := 0; i < maxItem; i++ {
+	for i := range maxItem {
 		id := i
-		wg.Add(1)
 
-		go func() {
-			defer wg.Done()
+		wg.Go(func() {
 
 			err := collector.Add(
 				&mockStatT{
@@ -110,7 +108,7 @@ func TestRegressionIssue6772(t *testing.T) {
 			if err != nil {
 				errCh <- err
 			}
-		}()
+		})
 	}
 
 	finishedCh := make(chan struct{})

core/mount/mount_freebsd.go

@@ -48,7 +48,7 @@ func (m *Mount) mount(target string) error {
 	// cmd.CombinedOutput() may intermittently return ECHILD because of our signal handling in shim.
 	// See #4387 and wait(2).
 	const retriesOnECHILD = 10
-	for i := 0; i < retriesOnECHILD; i++ {
+	for range retriesOnECHILD {
 		cmd := exec.Command("mount", args...)
 		out, err := cmd.CombinedOutput()
 		if err == nil {

core/mount/mount_idmapped_linux_test.go

@@ -47,7 +47,7 @@ func BenchmarkBatchRunGetUsernsFD_Concurrent10(b *testing.B) {
 func benchmarkBatchRunGetUsernsFD(n int) {
 	var wg sync.WaitGroup
 	wg.Add(n)
-	for i := 0; i < n; i++ {
+	for range n {
 		go func() {
 			defer wg.Done()
 			fd, err := getUsernsFD(testUIDMaps, testGIDMaps)

core/mount/mount_linux.go

@@ -369,10 +369,10 @@ func parseMountOptions(options []string) (opt mountOpt) {
 			}
 		} else if o == loopOpt {
 			opt.losetup = true
-		} else if strings.HasPrefix(o, "uidmap=") {
-			opt.uidmap = strings.TrimPrefix(o, "uidmap=")
-		} else if strings.HasPrefix(o, "gidmap=") {
-			opt.gidmap = strings.TrimPrefix(o, "gidmap=")
+		} else if after, ok := strings.CutPrefix(o, "uidmap="); ok {
+			opt.uidmap = after
+		} else if after, ok := strings.CutPrefix(o, "gidmap="); ok {
+			opt.gidmap = after
 		} else {
 			opt.data = append(opt.data, o)
 		}
@@ -552,7 +552,7 @@ func (m *Mount) mountWithHelper(helperBinary, typePrefix, target string) error {
 	// cmd.CombinedOutput() may intermittently return ECHILD because of our signal handling in shim.
 	// See #4387 and wait(2).
 	const retriesOnECHILD = 10
-	for i := 0; i < retriesOnECHILD; i++ {
+	for range retriesOnECHILD {
 		cmd := exec.Command(helperBinary, args...)
 		out, err := cmd.CombinedOutput()
 		if err == nil {

core/mount/mount_windows.go

@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 
 	"github.com/Microsoft/go-winio/pkg/bindfilter"
@@ -256,20 +257,10 @@ func GetCimPath(m *Mount) (string, error) {
 
 // GetEnableLayerIntegrity checks if the enableLayerIntegrity flag is present in mount options
 func GetEnableLayerIntegrity(m *Mount) bool {
-	for _, option := range m.Options {
-		if option == EnableLayerIntegrityFlag {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(m.Options, EnableLayerIntegrityFlag)
 }
 
 // GetAppendVHDFooter checks if the appendVHDFooter flag is present in mount options
 func GetAppendVHDFooter(m *Mount) bool {
-	for _, option := range m.Options {
-		if option == AppendVHDFooterFlag {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(m.Options, AppendVHDFooterFlag)
 }

core/remotes/docker/config/hosts.go

@@ -583,7 +583,7 @@ func getSortedHosts(b []byte) ([]string, error) {
 	return hostsInOrder, nil
 }
 
-// makeStringSlice is a helper func to convert from []interface{} to []string.
+// makeStringSlice is a helper func to convert from []any to []string.
 // Additionally an optional cb func may be passed to perform string mapping.
 func makeStringSlice(slice []any, cb func(string) string) ([]string, error) {
 	out := make([]string, len(slice))

core/remotes/docker/errcode.go

@@ -147,7 +147,7 @@ func (e Error) WithDetail(detail any) Error {
 	}
 }
 
-// WithArgs uses the passed-in list of interface{} as the substitution
+// WithArgs uses the passed-in list of args as the substitution
 // variables in the Error's Message string, but returns a new Error
 func (e Error) WithArgs(args ...any) Error {
 	return Error{

core/runtime/v2/shim_windows.go

@@ -71,8 +71,7 @@ func openShimLog(ctx context.Context, bundle *Bundle, dialer func(string, time.D
 	dpc := &deferredPipeConnection{
 		ctx: ctx,
 	}
-	dpc.wg.Add(1)
-	go func() {
+	dpc.wg.Go(func() {
 		c, conerr := dialer(
 			fmt.Sprintf("\\\\.\\pipe\\containerd-shim-%s-%s-log", ns, bundle.ID),
 			time.Second*10,
@@ -81,8 +80,7 @@ func openShimLog(ctx context.Context, bundle *Bundle, dialer func(string, time.D
 			dpc.conerr = fmt.Errorf("failed to connect to shim log: %w", conerr)
 		}
 		dpc.c = c
-		dpc.wg.Done()
-	}()
+	})
 	return dpc, nil
 }